diff --git a/policy-20071130.patch b/policy-20071130.patch index c98a216..bd7e535 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -4528,7 +4528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.6/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.6/policy/modules/apps/vmware.fc 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/apps/vmware.fc 2008-02-04 10:23:03.000000000 -0500 @@ -1,9 +1,9 @@ # # HOME_DIR/ @@ -4568,11 +4568,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f ifdef(`distro_gentoo',` /opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -@@ -49,3 +55,4 @@ +@@ -49,3 +55,6 @@ /opt/vmware/workstation/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) /opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) ') +/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) ++/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) ++/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.6/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/apps/vmware.if 2008-02-01 16:01:42.000000000 -0500 
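Review bot: The two new vmware.fc entries label `/var/run/vmnat.*` and `/var/run/vmware.*` as `vmware_var_run_t`, but no vmware.te hunk declaring that type with `files_pid_file()` is visible in this diff; an fc entry naming an undeclared type fails the file-context build, so please confirm where the type is declared. The `/var/run/vmware.*` entry has no object-class field, so it matches directories and everything beneath them as well as plain files, which is presumably intended for a runtime directory but should be recorded above the entry: `# runtime dir/files under /var/run; no class field, so dirs and their contents match too`. The `-s` class on the vmnat entry correctly limits it to sockets.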
@@ -4747,7 +4749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc 2008-02-04 11:10:30.000000000 -0500 @@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -4799,13 +4801,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -@@ -284,3 +291,6 @@ +@@ -284,3 +291,7 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') +/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0) + ++/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.6/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.if 2008-02-01 16:01:42.000000000 -0500 
@@ -5457,7 +5460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.6/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.6/policy/modules/kernel/files.if 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/kernel/files.if 2008-02-04 12:03:13.000000000 -0500 @@ -1266,6 +1266,24 @@ ######################################## @@ -6109,7 +6112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.6/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 -+++ serefpolicy-3.2.6/policy/modules/services/apache.if 2008-02-01 16:48:52.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/apache.if 2008-02-04 10:16:22.000000000 -0500 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -8205,16 +8208,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.6/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.6/policy/modules/services/consolekit.fc 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/consolekit.fc 2008-02-04 11:46:55.000000000 -0500 
@@ -1,3 +1,5 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) +Binary files nsaserefpolicy/policy/modules/services/consolekit.pp and serefpolicy-3.2.6/policy/modules/services/consolekit.pp differ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.6/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-01 22:35:15.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-04 11:52:57.000000000 -0500 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -8225,7 +8229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons ######################################## # # consolekit local policy -@@ -24,6 +27,9 @@ +@@ -24,20 +27,26 @@ allow consolekit_t self:unix_stream_socket create_stream_socket_perms; allow consolekit_t self:unix_dgram_socket create_socket_perms; @@ -8235,7 +8239,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) files_pid_filetrans(consolekit_t,consolekit_var_run_t, file) -@@ -36,8 +42,10 @@ + kernel_read_system_state(consolekit_t) + + corecmd_exec_bin(consolekit_t) ++corecmd_exec_shell(consolekit_t) + + dev_read_urand(consolekit_t) + dev_read_sysfs(consolekit_t) domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) 
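Review bot: `/var/log/ConsoleKit(/.*)?` is labeled `consolekit_var_run_t`, a pid-file type, so the daemon's logs get the same type as its runtime state and are not reachable through the log-reading interfaces that other domains use; a dedicated type declared in consolekit.te with `logging_log_file(consolekit_log_t)` plus `logging_log_filetrans(consolekit_t, consolekit_log_t, { file dir })` would keep log and pid access separately grantable. The line `Binary files nsaserefpolicy/.../consolekit.pp and serefpolicy-3.2.6/.../consolekit.pp differ` in the same hunk shows a compiled module sitting in the tree being diffed; diff cannot carry it, so the line is noise in the patch and the artifact should be removed before the patch is regenerated.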
@@ -8246,7 +8256,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) -@@ -50,12 +58,25 @@ +@@ -47,15 +56,31 @@ + + auth_use_nsswitch(consolekit_t) + ++init_telinit(consolekit_t) ++init_rw_utmp(consolekit_t) ++ libs_use_ld_so(consolekit_t) libs_use_shared_libs(consolekit_t) @@ -8273,17 +8289,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons hal_dbus_chat(consolekit_t) optional_policy(` -@@ -64,6 +85,32 @@ +@@ -64,6 +89,33 @@ ') optional_policy(` + polkit_domtrans_auth(consolekit_t) ++ polkit_search_lib(consolekit_t) +') + +optional_policy(` xserver_read_all_users_xauth(consolekit_t) xserver_stream_connect_xdm_xserver(consolekit_t) - ') ++ xserver_ptrace_xdm(consolekit_t) ++') + +optional_policy(` + #reading .Xauthity @@ -8298,14 +8316,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_list_nfs(consolekit_t) + fs_dontaudit_rw_nfs_files(consolekit_t) -+') + ') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_list_cifs(consolekit_t) + fs_dontaudit_rw_cifs_files(consolekit_t) +') + -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.6/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/services/cron.fc 2008-02-01 16:01:42.000000000 -0500 
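Review bot: `xserver_ptrace_xdm(consolekit_t)` in the second hunk on this line grants `ptrace` on the display manager's process, which the kernel also uses to gate reads of sensitive `/proc/<pid>` files; if the denial behind this is such a read, a comment naming the file makes the grant reviewable, and if the access is only a probe it belongs in a dontaudit, which is what the new interface's own parameter doc (`Domain to not audit`) describes. `init_telinit(consolekit_t)` in the first hunk lets the daemon change runlevels, presumably for its shutdown or restart requests; record that with a line such as `# runlevel changes for the daemon's shutdown/restart requests — TODO confirm which method needs this` so the grant is not widened silently later.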
@@ -12652,7 +12669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.6/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/mta.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/mta.te 2008-02-04 12:04:01.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -12670,7 +12687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -37,30 +40,43 @@ +@@ -37,30 +40,45 @@ # # newalias required this, not sure if it is needed in 'if' file @@ -12679,6 +12696,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) ++ ++files_read_all_tmp_files(system_mail_t) kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) @@ -12715,7 +12734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -73,6 +89,7 @@ +@@ -73,6 +91,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) @@ -12723,7 +12742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. cron_dontaudit_write_pipes(system_mail_t) ') -@@ -81,6 +98,11 @@ +@@ -81,6 +100,11 @@ ') optional_policy(` @@ -12735,7 +12754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,11 +158,33 @@ +@@ -136,11 +160,33 @@ ') optional_policy(` 
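Review bot: `files_read_all_tmp_files(system_mail_t)` in the hunk at `@@ -37,30 +40,45 @@` grants read on every tmp type in the policy, including other daemons' and users' temporary files, which is far wider than the per-domain tmp interfaces this module already uses (`cron_read_system_job_tmp_files`, `logrotate_read_tmp_files` in the following hunks). If the trigger is one caller piping a temporary file into the mailer, the read interface for that caller's tmp type keeps mail from reading unrelated temp data; otherwise the reason should at least be recorded, e.g. `# reads message bodies handed over as tmp files by <caller-domain placeholder> — TODO confirm`. The same broad call is added for `sendmail_t` in the sendmail.te hunk further down.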
@@ -12753,7 +12772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. -# should break this up among sections: +init_stream_connect_script(mailserver_delivery) +init_rw_script_stream_sockets(mailserver_delivery) -+ + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mailserver_delivery) + fs_manage_cifs_files(mailserver_delivery) @@ -12765,12 +12784,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + fs_manage_nfs_files(mailserver_delivery) + fs_manage_nfs_symlinks(mailserver_delivery) +') - ++ +# should break this up among sections: optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +198,4 @@ +@@ -154,3 +200,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') @@ -14377,8 +14396,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.6/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-01 16:01:42.000000000 -0500 -@@ -0,0 +1,59 @@ ++++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-04 11:48:36.000000000 -0500 +@@ -0,0 +1,62 @@ + +## policy for polkit_auth + @@ -14437,6 +14456,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + + files_search_var_lib($1) + read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) ++ ++ # Broken placement ++ cron_read_system_job_lib_files($1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.6/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 
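Review bot: `cron_read_system_job_lib_files($1)` added to the polkit.if interface in the last hunk on this line creates an unconditional dependency of the polkit interface on the cron module, and the author's own `# Broken placement` comment says it does not belong there; every caller of this interface (including `xdm_t` via `polkit_read_lib` in the xserver.te hunk) silently gains read access to cron's system-job lib files. Move the call into the calling .te inside an optional_policy block for cron, or drop it here and keep the interface limited to `polkit_var_lib_t`. The interface's header is outside the hunk; only its tail is visible.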
@@ -17750,7 +17772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.6/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/sendmail.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/sendmail.te 2008-02-04 12:03:27.000000000 -0500 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -17779,7 +17801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) -@@ -69,10 +74,12 @@ +@@ -69,13 +74,16 @@ # for piping mail to a command corecmd_exec_shell(sendmail_t) @@ -17792,7 +17814,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send files_search_spool(sendmail_t) # for piping mail to a command files_read_etc_runtime_files(sendmail_t) -@@ -97,20 +104,35 @@ ++files_read_all_tmp_files(sendmail_t) + + init_use_fds(sendmail_t) + init_use_script_ptys(sendmail_t) +@@ -97,20 +105,35 @@ userdom_dontaudit_use_unpriv_user_fds(sendmail_t) userdom_dontaudit_search_sysadm_home_dirs(sendmail_t) @@ -17829,7 +17855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send postfix_exec_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) -@@ -118,6 +140,7 @@ +@@ -118,6 +141,7 @@ optional_policy(` procmail_domtrans(sendmail_t) @@ -17837,7 +17863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -125,24 +148,25 @@ +@@ -125,24 +149,25 @@ ') optional_policy(` 
@@ -20191,7 +20217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.6/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/xserver.if 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/xserver.if 2008-02-04 11:52:35.000000000 -0500 @@ -15,6 +15,7 @@ template(`xserver_common_domain_template',` gen_require(` @@ -20393,16 +20419,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) +- +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + domtrans_pattern($2, xauth_exec_t, xauth_t) -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -- - allow $2 $1_xauth_t:process signal; + allow $2 xauth_t:process signal; # allow ps to show xauth - ps_process_pattern($2,$1_xauth_t) -- ++ ps_process_pattern($2,xauth_t) + - allow $2 $1_xauth_home_t:file manage_file_perms; - allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; - @@ -20416,8 +20443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - fs_getattr_xattr_fs($1_xauth_t) - fs_search_auto_mountpoints($1_xauth_t) -+ ps_process_pattern($2,xauth_t) - +- - # cjp: why? - term_use_ptmx($1_xauth_t) - @@ -20847,7 +20873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1411,45 @@ +@@ -1312,3 +1411,63 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') 
@@ -20893,9 +20919,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +') + ++######################################## ++## ++## Ptrace XDM ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_ptrace_xdm',` ++ gen_require(` ++ type xdm_t; ++ ') ++ ++ allow $1 xdm_t:process ptrace; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.6/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/xserver.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/xserver.te 2008-02-04 11:50:03.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -20970,18 +21014,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_common_domain_template(xdm) init_system_domain(xdm_xserver_t,xserver_exec_t) -@@ -95,8 +134,8 @@ +@@ -95,8 +134,9 @@ # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -+allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms }; ++allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms }; ++ allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -109,6 +148,8 @@ +@@ -109,6 +149,8 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; 
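Review bot: The new `xserver_ptrace_xdm` interface documents its parameter as `Domain to not audit` while its body is `allow $1 xdm_t:process ptrace;`, so the generated docs describe a dontaudit but the rule grants access. Change the parameter description to `## Domain allowed access.` and the summary to `## Allow ptrace of the XDM domain.` so the grant is not understated. Because `ptrace` on the root display manager permits reading and controlling its memory, the summary should also name the caller that needs it and why; consolekit.te is the only caller visible in this diff.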
@@ -20990,7 +21035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -131,15 +172,22 @@ +@@ -131,15 +173,22 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -21014,7 +21059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -153,6 +201,7 @@ +@@ -153,6 +202,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; @@ -21022,7 +21067,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) -@@ -184,6 +233,7 @@ +@@ -173,6 +223,8 @@ + + corecmd_exec_shell(xdm_t) + corecmd_exec_bin(xdm_t) ++# Uses DBUS ++corecmd_bin_entry_type(xdm_t) + + corenet_all_recvfrom_unlabeled(xdm_t) + corenet_all_recvfrom_netlabel(xdm_t) +@@ -184,6 +236,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -21030,7 +21084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -196,6 +246,7 @@ +@@ -196,6 +249,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) 
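Review bot: `corecmd_bin_entry_type(xdm_t)` in the hunk at `@@ -173,6 +223,8 @@` makes the generic `bin_t` type an entrypoint for the privileged xdm_t domain, and the accompanying comment `# Uses DBUS` does not say which bin_t program is entered or from which source domain; entrypoint types define the set of binaries through which a domain can be entered, so widening it to all of bin_t should be justified by name. Replace the comment with one that names the executable and the transition it backs, e.g. `# <program path placeholder> is executed into xdm_t by <source domain placeholder>; needs bin_t as entrypoint`, or, if a single helper is involved, give that helper its own exec type and use it as the entrypoint instead.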
@@ -21038,7 +21092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -208,8 +259,8 @@ +@@ -208,8 +262,8 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -21049,7 +21103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) -@@ -226,6 +277,7 @@ +@@ -226,6 +280,7 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -21057,7 +21111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) -@@ -245,6 +297,7 @@ +@@ -245,6 +300,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -21065,7 +21119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,12 +309,11 @@ +@@ -256,12 +312,11 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -21079,7 +21133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -270,6 +322,10 @@ +@@ -270,6 +325,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -21090,7 +21144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -304,7 +360,16 @@ +@@ -304,7 +363,16 @@ ') optional_policy(` 
@@ -21107,7 +21161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -322,6 +387,10 @@ +@@ -322,6 +390,10 @@ ') optional_policy(` @@ -21118,7 +21172,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -343,8 +412,8 @@ +@@ -335,6 +407,11 @@ + ') + + optional_policy(` ++ polkit_domtrans_auth(xdm_t) ++ polkit_read_lib(xdm_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(xdm_t) + ') + +@@ -343,8 +420,8 @@ ') optional_policy(` @@ -21128,7 +21194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +449,7 @@ +@@ -380,7 +457,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -21137,7 +21203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +461,15 @@ +@@ -392,6 +469,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -21153,7 +21219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,6 +482,7 @@ +@@ -404,6 +490,7 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -21161,7 +21227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_all_users_fonts(xdm_xserver_t) -@@ -420,6 +499,14 @@ +@@ -420,6 +507,14 @@ ') optional_policy(` @@ -21176,7 +21242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +516,103 @@ +@@ -429,47 +524,103 @@ ') optional_policy(` 
@@ -21909,7 +21975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.6/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.6/policy/modules/system/init.if 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/init.if 2008-02-04 12:02:32.000000000 -0500 @@ -211,6 +211,13 @@ kernel_dontaudit_use_fds($1) ') @@ -22077,7 +22143,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1252,7 +1289,7 @@ +@@ -1097,6 +1134,25 @@ + + ######################################## + ## ++## Read init script temporary data. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_read_script_tmp_files',` ++ gen_require(` ++ type initrc_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1,initrc_tmp_t,initrc_tmp_t) ++') ++ ++######################################## ++## + ## Create files in a init script + ## temporary data directory. + ## +@@ -1252,7 +1308,7 @@ type initrc_var_run_t; ') @@ -22086,7 +22178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1273,3 +1310,92 @@ +@@ -1273,3 +1329,92 @@ files_search_pids($1) allow $1 initrc_var_run_t:file manage_file_perms; ') 
@@ -22181,7 +22273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.6/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/init.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/init.te 2008-02-04 11:10:57.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -23045,7 +23137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.6/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/miscfiles.if 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/miscfiles.if 2008-02-04 08:26:35.000000000 -0500 @@ -489,3 +489,44 @@ manage_lnk_files_pattern($1,locale_t,locale_t) ') @@ -25015,7 +25107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.6/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/userdomain.if 2008-02-01 22:19:29.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/userdomain.if 2008-02-04 08:23:21.000000000 -0500 @@ -29,9 +29,14 @@ ') 
@@ -28179,8 +28271,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.6/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-02 17:10:42.000000000 -0500 -@@ -0,0 +1,135 @@ ++++ serefpolicy-3.2.6/policy/modules/system/virt.te 2008-02-04 11:23:06.000000000 -0500 +@@ -0,0 +1,137 @@ + +policy_module(virt,1.0.0) + @@ -28256,10 +28348,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +logging_log_filetrans(virtd_t, virt_log_t, { file dir } ) + +read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) ++read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + +manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) -+files_trans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) ++manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) ++filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + +corenet_all_recvfrom_unlabeled(virtd_t) +corenet_all_recvfrom_netlabel(virtd_t) @@ -28699,8 +28793,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.6/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-01 16:01:42.000000000 -0500 -@@ -0,0 +1,47 @@ ++++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-04 08:26:47.000000000 -0500 +@@ -0,0 +1,51 @@ +policy_module(staff,1.0.1) +userdom_unpriv_user_template(staff) + 
@@ -28708,6 +28802,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t +userdom_role_change_template(staff, sysadm) +userdom_dontaudit_use_sysadm_terms(staff_t) + ++allow $staff_t self:capability sys_nice; ++ +domain_read_all_domains_state(staff_t) +domain_getattr_all_domains(staff_t) + @@ -28716,6 +28812,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t +modutils_read_module_config(staff_t) +modutils_read_module_deps(staff_t) + ++miscfiles_read_hwdata(staff_t) ++ +sudo_per_role_template(staff, staff_t, staff_r) +seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t }) +
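Review bot: `allow $staff_t self:capability sys_nice;` in the first hunk on this line has a stray `$` in the source type; m4 leaves `$staff_t` untouched outside a macro definition, so checkpolicy rejects the identifier and the staff module does not build. The line should read `allow staff_t self:capability sys_nice;`. A short comment on why the staff user domain needs `sys_nice` (presumably renicing its own processes) would also help the next reviewer.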